Merge branch 'master' into default_username_for_session

.github/workflows/issue-reprioritization.yml

@@ -7,6 +7,7 @@ jobs:
   issue-reprioritization:
     permissions:
       issues: write
+      repository-projects: write
     runs-on: ubuntu-latest
     steps:
       - uses: kaizencc/issue-reprioritization-manager@main
@@ -16,6 +17,7 @@ jobs:
           original-label: p2
           new-label: p1
           reprioritization-threshold: 20
+          project-column-url: https://github.com/aws/aws-cdk/projects/13#column-18002436
       - uses: kaizencc/pr-triage-manager@main
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}

CHANGELOG.md

@@ -2,6 +2,39 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [1.157.0](https://github.com/aws/aws-cdk/compare/v1.156.1...v1.157.0) (2022-05-20)
+
+
+### Features
+
+* **cfnspec:** cloudformation spec v69.0.0 ([#20240](https://github.com/aws/aws-cdk/issues/20240)) ([e82b63f](https://github.com/aws/aws-cdk/commit/e82b63fc8880ecbd5e29d02e3e623cda3bbce1d6)) and ([#20331](https://github.com/aws/aws-cdk/issues/20331)) ([e9de4e9](https://github.com/aws/aws-cdk/commit/e9de4e9ab6bc44ff691238d91a8945c880a4d97c))
+* **cfnspec:** cloudformation spec v72.0.0 ([#20357](https://github.com/aws/aws-cdk/issues/20357)) ([c8fd84c](https://github.com/aws/aws-cdk/commit/c8fd84c12c726e216c10380f9fe7e5d55a892cdf))
+* **cli:** make ecr images immutable when created from cdk bootstrap ([#19937](https://github.com/aws/aws-cdk/issues/19937)) ([0ef4bb4](https://github.com/aws/aws-cdk/commit/0ef4bb4bf493a7e3b72b518841f676e91d014ba9)), closes [#18376](https://github.com/aws/aws-cdk/issues/18376)
+* **cloud9:** configure Connection Type of Ec2Environment ([#20250](https://github.com/aws/aws-cdk/issues/20250)) ([01708bc](https://github.com/aws/aws-cdk/commit/01708bc7cf842eab7e1d1fc58bf42e4724624c0a)), closes [#17027](https://github.com/aws/aws-cdk/issues/17027)
+* **cloudfront:** REST API origin ([#20335](https://github.com/aws/aws-cdk/issues/20335)) ([f7693e3](https://github.com/aws/aws-cdk/commit/f7693e3f981f60886c94fb61876a1e5e0f2c1a02))
+* **cognito:** `grant()` for user pool ([#20285](https://github.com/aws/aws-cdk/issues/20285)) ([10d13e4](https://github.com/aws/aws-cdk/commit/10d13e4bc1841721650f9ca9b6b16e18c219ea21))
+* **core:** allow disabling of LogicalID Metadata in case of large manifest ([#20433](https://github.com/aws/aws-cdk/pull/20433)) ([88ea829](https://github.com/aws/aws-cdk/commit/88ea829b5d0a64f51848474b6b9f006d1f729fb4)), closes [#20211](https://github.com/aws/aws-cdk/issues/20211)
+* **ec2:** more router types ([#20151](https://github.com/aws/aws-cdk/issues/20151)) ([33b983c](https://github.com/aws/aws-cdk/commit/33b983ca76c91f182e60dcab8c6ead6be4d4712d)), closes [#19057](https://github.com/aws/aws-cdk/issues/19057) [/docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-route.html#aws-resource-ec2](https://github.com/aws//docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-route.html/issues/aws-resource-ec2)
+* **iam:** validate role path at build time ([#16165](https://github.com/aws/aws-cdk/issues/16165)) ([65a5a46](https://github.com/aws/aws-cdk/commit/65a5a46837c42b2538837a699267ec9cc46ddc51)), closes [#13747](https://github.com/aws/aws-cdk/issues/13747)
+* **integ-tests:** enhancements to integ-tests ([#20180](https://github.com/aws/aws-cdk/issues/20180)) ([3ff3fb7](https://github.com/aws/aws-cdk/commit/3ff3fb7c5ec9636022b3046036376c09a3166fb0))
+* **logs:** additional log retention periods ([#20347](https://github.com/aws/aws-cdk/issues/20347)) ([734faa5](https://github.com/aws/aws-cdk/commit/734faa5ae7489a511d5a00f255d7afd408db880c)), closes [#20346](https://github.com/aws/aws-cdk/issues/20346)
+* **s3:** add `noncurrentVersionsToRetain` property to lifecycle rule ([#20348](https://github.com/aws/aws-cdk/issues/20348)) ([85604d9](https://github.com/aws/aws-cdk/commit/85604d929978aa1c645dba8959d682892278f862)), closes [#19784](https://github.com/aws/aws-cdk/issues/19784)
+
+
+### Bug Fixes
+
+* **amplify:** custom headers break with tokens ([#20395](https://github.com/aws/aws-cdk/issues/20395)) ([765f441](https://github.com/aws/aws-cdk/commit/765f44177298b645c88a29587b52619e91a8757c))
+* **apigateway:** arnForExecuteApi fails on tokenized path ([#20323](https://github.com/aws/aws-cdk/issues/20323)) ([f7732a1](https://github.com/aws/aws-cdk/commit/f7732a1b06927d84e79ea1c9fb671ad184a9efea)), closes [#20252](https://github.com/aws/aws-cdk/issues/20252)
+* **assets:** parallel docker image publishing fails on macOS ([#20117](https://github.com/aws/aws-cdk/issues/20117)) ([a58a803](https://github.com/aws/aws-cdk/commit/a58a8037b79636e9f973beff2483baecad73f15d)), closes [#20116](https://github.com/aws/aws-cdk/issues/20116)
+* **cfn-include:** allow CFN Functions in Tags ([#19923](https://github.com/aws/aws-cdk/issues/19923)) ([4df9a4f](https://github.com/aws/aws-cdk/commit/4df9a4fa9ef24266b2bcde378ecc112c7dcaf8aa)), closes [#16889](https://github.com/aws/aws-cdk/issues/16889)
+* **cli:** allow SSO profiles to be used as source profiles ([#20340](https://github.com/aws/aws-cdk/issues/20340)) ([a0b29e9](https://github.com/aws/aws-cdk/commit/a0b29e9f29775bfd94307a8975f5ba3a8faf05fa)), closes [#19897](https://github.com/aws/aws-cdk/issues/19897)
+* **cloudwatch-actions:** stack partition is hardcoded 'aws' in action arn ([#20224](https://github.com/aws/aws-cdk/issues/20224)) ([0eb6c3b](https://github.com/aws/aws-cdk/commit/0eb6c3bb5853194f8727fc2cd3b1c9acb6eea20f)), closes [#19765](https://github.com/aws/aws-cdk/issues/19765)
+* **eks:** Cluster.FromClusterAttributes ignores KubectlLambdaRole ([#20373](https://github.com/aws/aws-cdk/issues/20373)) ([7e824ab](https://github.com/aws/aws-cdk/commit/7e824ab40772dc888aec7986e343b12ec1032657)), closes [#20008](https://github.com/aws/aws-cdk/issues/20008)
+* **iam:** AccountPrincipal accepts values which aren't account IDs ([#20292](https://github.com/aws/aws-cdk/issues/20292)) ([d0163f8](https://github.com/aws/aws-cdk/commit/d0163f8a3d14e38f67b381c569b5bd3af92c4f51)), closes [#20288](https://github.com/aws/aws-cdk/issues/20288)
+* **pipelines:** specifying the Action Role for CodeBuild steps ([#18293](https://github.com/aws/aws-cdk/issues/18293)) ([719edfc](https://github.com/aws/aws-cdk/commit/719edfcb949828a423be2367b5c85b0e9a9c1c12)), closes [#18291](https://github.com/aws/aws-cdk/issues/18291) [#18291](https://github.com/aws/aws-cdk/issues/18291)
+* **rds:** tokens should not be lowercased ([#20287](https://github.com/aws/aws-cdk/issues/20287)) ([5429e55](https://github.com/aws/aws-cdk/commit/5429e55126db7556dd2eb2d5e30a50976b5f6ee4)), closes [#18802](https://github.com/aws/aws-cdk/issues/18802)
+* **secretsmanager:** automatic rotation cannot be disabled ([#18906](https://github.com/aws/aws-cdk/issues/18906)) ([c50d60c](https://github.com/aws/aws-cdk/commit/c50d60ca9417c771ca31cb330521e0e9f988e3fd)), closes [#18749](https://github.com/aws/aws-cdk/issues/18749)
+
 ## [1.156.1](https://github.com/aws/aws-cdk/compare/v1.156.0...v1.156.1) (2022-05-12)
 
 ## [1.156.0](https://github.com/aws/aws-cdk/compare/v1.155.0...v1.156.0) (2022-05-11)

README.md

@@ -25,7 +25,6 @@ The CDK is available in the following languages:
 * Java ([Java ≥ 8](https://www.oracle.com/technetwork/java/javase/downloads/index.html) and [Maven ≥ 3.5.4](https://maven.apache.org/download.cgi))
 * .NET ([.NET Core ≥ 3.1](https://dotnet.microsoft.com/download))
 * Go ([Go ≥ 1.16.4](https://golang.org/))
-  - Go is currently in developer preview and is not recommended for production use.
 
 \
 Jump To:

package.json

@@ -80,12 +80,8 @@
       "@aws-cdk/assertions-alpha/fs-extra/**",
       "@aws-cdk/assertions/fs-extra",
       "@aws-cdk/assertions/fs-extra/**",
-      "@aws-cdk/aws-amplify-alpha/yaml",
-      "@aws-cdk/aws-amplify-alpha/yaml/**",
       "@aws-cdk/aws-iot-actions-alpha/case",
       "@aws-cdk/aws-iot-actions-alpha/case/**",
-      "@aws-cdk/aws-amplify/yaml",
-      "@aws-cdk/aws-amplify/yaml/**",
       "@aws-cdk/aws-codebuild/yaml",
       "@aws-cdk/aws-codebuild/yaml/**",
       "@aws-cdk/aws-codepipeline-actions/case",

packages/@aws-cdk/aws-amplify/NOTICE

@@ -1,23 +1,2 @@
 AWS Cloud Development Kit (AWS CDK)
 Copyright 2018-2022 Amazon.com, Inc. or its affiliates. All Rights Reserved.
-
--------------------------------------------------------------------------------
-
-The AWS CDK includes the following third-party software/licensing:
-
-** yaml - https://www.npmjs.com/package/yaml
-Copyright 2018 Eemeli Aro <[email protected]>
-
-Permission to use, copy, modify, and/or distribute this software for any purpose
-with or without fee is hereby granted, provided that the above copyright notice
-and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
-REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
-FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
-INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
-OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
-TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF
-THIS SOFTWARE.
-
-----------------

packages/@aws-cdk/aws-amplify/lib/app.ts

@@ -2,7 +2,6 @@ import * as codebuild from '@aws-cdk/aws-codebuild';
 import * as iam from '@aws-cdk/aws-iam';
 import { IResource, Lazy, Resource, SecretValue } from '@aws-cdk/core';
 import { Construct } from 'constructs';
-import * as YAML from 'yaml';
 import { CfnApp } from './amplify.generated';
 import { BasicAuth } from './basic-auth';
 import { Branch, BranchOptions } from './branch';
@@ -515,11 +514,18 @@ export interface CustomResponseHeader {
 }
 
 function renderCustomResponseHeaders(customHeaders: CustomResponseHeader[]): string {
-  const modifiedHeaders = customHeaders.map(customHeader => ({
-    ...customHeader,
-    headers: Object.entries(customHeader.headers).map(([key, value]) => ({ key, value })),
-  }));
+  const yaml = [
+    'customHeaders:',
+  ];
+
+  for (const customHeader of customHeaders) {
+    yaml.push(`  - pattern: "${customHeader.pattern}"`);
+    yaml.push('    headers:');
+    for (const [key, value] of Object.entries(customHeader.headers)) {
+      yaml.push(`      - key: "${key}"`);
+      yaml.push(`        value: "${value}"`);
+    }
+  }
 
-  const customHeadersObject = { customHeaders: modifiedHeaders };
-  return YAML.stringify(customHeadersObject);
+  return `${yaml.join('\n')}\n`;
 }

packages/@aws-cdk/aws-amplify/package.json

@@ -87,7 +87,6 @@
     "@aws-cdk/cfn2ts": "0.0.0",
     "@aws-cdk/pkglint": "0.0.0",
     "@types/jest": "^27.5.0",
-    "@types/yaml": "1.9.6",
     "aws-sdk": "^2.848.0"
   },
   "dependencies": {
@@ -101,12 +100,8 @@
     "@aws-cdk/aws-secretsmanager": "0.0.0",
     "@aws-cdk/core": "0.0.0",
     "@aws-cdk/custom-resources": "0.0.0",
-    "constructs": "^3.3.69",
-    "yaml": "1.10.2"
+    "constructs": "^3.3.69"
   },
-  "bundledDependencies": [
-    "yaml"
-  ],
   "peerDependencies": {
     "@aws-cdk/aws-codebuild": "0.0.0",
     "@aws-cdk/aws-codecommit": "0.0.0",

packages/@aws-cdk/aws-amplify/test/app.integ.snapshot/cdk-amplify-app.template.json

@@ -56,7 +56,18 @@
      },
      "Username": "aws"
     },
-    "CustomHeaders": "customHeaders:\n  - pattern: \"*.json\"\n    headers:\n      - key: custom-header-name-1\n        value: custom-header-value-1\n      - key: custom-header-name-2\n        value: custom-header-value-2\n  - pattern: /path/*\n    headers:\n      - key: custom-header-name-1\n        value: custom-header-value-2\n",
+    "CustomHeaders": {
+     "Fn::Join": [
+      "",
+      [
+       "customHeaders:\n  - pattern: \"*.json\"\n    headers:\n      - key: \"custom-header-name-1\"\n        value: \"custom-header-value-1\"\n      - key: \"custom-header-name-2\"\n        value: \"custom-header-value-2\"\n  - pattern: \"/path/*\"\n    headers:\n      - key: \"custom-header-name-1\"\n        value: \"custom-header-value-2\"\n      - key: \"x-aws-url-suffix\"\n        value: \"this-is-the-suffix-",
+       {
+        "Ref": "AWS::URLSuffix"
+       },
+       "\"\n"
+      ]
+     ]
+    },
     "CustomRules": [
      {
       "Source": "/source",

packages/@aws-cdk/aws-amplify/test/app.integ.snapshot/cdk.out

@@ -1 +1 @@
-{"version":"17.0.0"}
+{"version":"19.0.0"}

packages/@aws-cdk/aws-amplify/test/app.integ.snapshot/integ.json

@@ -1,7 +1,7 @@
 {
-  "version": "18.0.0",
+  "version": "19.0.0",
   "testCases": {
-    "aws-amplify/test/integ.app": {
+    "integ.app": {
       "stacks": [
         "cdk-amplify-app"
       ],

packages/@aws-cdk/aws-amplify/test/app.integ.snapshot/manifest.json

@@ -1,5 +1,5 @@
 {
-  "version": "17.0.0",
+  "version": "19.0.0",
   "artifacts": {
     "Tree": {
       "type": "cdk:tree",

packages/@aws-cdk/aws-amplify/test/app.integ.snapshot/tree.json

@@ -113,7 +113,18 @@
                         ]
                       }
                     },
-                    "customHeaders": "customHeaders:\n  - pattern: \"*.json\"\n    headers:\n      - key: custom-header-name-1\n        value: custom-header-value-1\n      - key: custom-header-name-2\n        value: custom-header-value-2\n  - pattern: /path/*\n    headers:\n      - key: custom-header-name-1\n        value: custom-header-value-2\n",
+                    "customHeaders": {
+                      "Fn::Join": [
+                        "",
+                        [
+                          "customHeaders:\n  - pattern: \"*.json\"\n    headers:\n      - key: \"custom-header-name-1\"\n        value: \"custom-header-value-1\"\n      - key: \"custom-header-name-2\"\n        value: \"custom-header-value-2\"\n  - pattern: \"/path/*\"\n    headers:\n      - key: \"custom-header-name-1\"\n        value: \"custom-header-value-2\"\n      - key: \"x-aws-url-suffix\"\n        value: \"this-is-the-suffix-",
+                          {
+                            "Ref": "AWS::URLSuffix"
+                          },
+                          "\"\n"
+                        ]
+                      ]
+                    },
                     "customRules": [
                       {
                         "source": "/source",

packages/@aws-cdk/aws-amplify/test/app.test.ts

@@ -417,11 +417,28 @@ test('with custom headers', () => {
           'custom-header-name-1': 'custom-header-value-2',
         },
       },
+      {
+        pattern: '/with-tokens/*',
+        headers: {
+          'x-custom': `${'hello'.repeat(10)}${Stack.of(stack).urlSuffix} `,
+        },
+      },
     ],
   });
 
   // THEN
   Template.fromStack(stack).hasResourceProperties('AWS::Amplify::App', {
-    CustomHeaders: 'customHeaders:\n  - pattern: "*.json"\n    headers:\n      - key: custom-header-name-1\n        value: custom-header-value-1\n      - key: custom-header-name-2\n        value: custom-header-value-2\n  - pattern: /path/*\n    headers:\n      - key: custom-header-name-1\n        value: custom-header-value-2\n',
+    CustomHeaders: {
+      'Fn::Join': [
+        '',
+        [
+          'customHeaders:\n  - pattern: "*.json"\n    headers:\n      - key: "custom-header-name-1"\n        value: "custom-header-value-1"\n      - key: "custom-header-name-2"\n        value: "custom-header-value-2"\n  - pattern: "/path/*"\n    headers:\n      - key: "custom-header-name-1"\n        value: "custom-header-value-2"\n  - pattern: "/with-tokens/*"\n    headers:\n      - key: "x-custom"\n        value: "hellohellohellohellohellohellohellohellohellohello',
+          {
+            Ref: 'AWS::URLSuffix',
+          },
+          ' "\n',
+        ],
+      ],
+    },
   });
 });

packages/@aws-cdk/aws-amplify/test/integ.app.ts

@@ -21,6 +21,7 @@ class TestStack extends Stack {
           pattern: '/path/*',
           headers: {
             'custom-header-name-1': 'custom-header-value-2',
+            'x-aws-url-suffix': `this-is-the-suffix-${Stack.of(this).urlSuffix}`,
           },
         },
       ],

packages/@aws-cdk/aws-apigateway/lib/restapi.ts

@@ -1,7 +1,7 @@
 import * as cloudwatch from '@aws-cdk/aws-cloudwatch';
 import { IVpcEndpoint } from '@aws-cdk/aws-ec2';
 import * as iam from '@aws-cdk/aws-iam';
-import { ArnFormat, CfnOutput, IResource as IResourceBase, Resource, Stack } from '@aws-cdk/core';
+import { ArnFormat, CfnOutput, IResource as IResourceBase, Resource, Stack, Token } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import { ApiDefinition } from './api-definition';
 import { ApiKey, ApiKeyOptions, IApiKey } from './api-key';
@@ -368,7 +368,7 @@ export abstract class RestApiBase extends Resource implements IRestApi {
   }
 
   public arnForExecuteApi(method: string = '*', path: string = '/*', stage: string = '*') {
-    if (!path.startsWith('/')) {
+    if (!Token.isUnresolved(path) && !path.startsWith('/')) {
       throw new Error(`"path" must begin with a "/": '${path}'`);
     }
 

packages/@aws-cdk/aws-apigateway/test/restapi.test.ts

@@ -1,7 +1,7 @@
 import { Template } from '@aws-cdk/assertions';
 import { GatewayVpcEndpoint } from '@aws-cdk/aws-ec2';
 import { testDeprecated } from '@aws-cdk/cdk-build-tools';
-import { App, CfnElement, CfnResource, Stack } from '@aws-cdk/core';
+import { App, CfnElement, CfnResource, Lazy, Stack } from '@aws-cdk/core';
 import * as apigw from '../lib';
 
 describe('restapi', () => {
@@ -424,6 +424,16 @@ describe('restapi', () => {
     expect(() => api.arnForExecuteApi('method', 'hey-path', 'stage')).toThrow(/"path" must begin with a "\/": 'hey-path'/);
   });
 
+  test('"executeApiArn" path can be a token', () => {
+    // GIVEN
+    const stack = new Stack();
+    const api = new apigw.RestApi(stack, 'api');
+    api.root.addMethod('GET');
+
+    // THEN
+    expect(() => api.arnForExecuteApi('method', Lazy.string(({ produce: () => 'path' })), 'stage')).not.toThrow();
+  });
+
   test('"executeApiArn" will convert ANY to "*"', () => {
     // GIVEN
     const stack = new Stack();

packages/@aws-cdk/aws-apigatewayv2/lib/http/vpc-link.ts

@@ -99,7 +99,7 @@ export class VpcLink extends Resource implements IVpcLink {
 
     this.vpcLinkId = cfnResource.ref;
 
-    const { subnets } = props.vpc.selectSubnets(props.subnets ?? { subnetType: ec2.SubnetType.PRIVATE });
+    const { subnets } = props.vpc.selectSubnets(props.subnets ?? { subnetType: ec2.SubnetType.PRIVATE_WITH_NAT });
     this.addSubnets(...subnets);
 
     if (props.securityGroups) {

packages/@aws-cdk/aws-apprunner/README.md

@@ -134,3 +134,29 @@ ECR image repositories (but not for ECR Public repositories). If not defined, a
 when required.
 
 See [App Runner IAM Roles](https://docs.aws.amazon.com/apprunner/latest/dg/security_iam_service-with-iam.html#security_iam_service-with-iam-roles) for more details.
+
+## VPC Connector
+
+To associate an App Runner service with a custom VPC, define `vpcConnector` for the service.
+
+```ts
+import * as ec2 from '@aws-cdk/aws-ec2';
+
+const vpc = new ec2.Vpc(this, 'Vpc', {
+  cidr: '10.0.0.0/16',
+});
+
+const vpcConnector = new apprunner.VpcConnector(this, 'VpcConnector', {
+  vpc,
+  vpcSubnets: vpc.selectSubnets({ subnetType: ec2.SubnetType.PUBLIC }),
+  vpcConnectorName: 'MyVpcConnector',
+});
+
+new apprunner.Service(this, 'Service', {
+  source: apprunner.Source.fromEcrPublic({
+    imageConfiguration: { port: 8000 },
+    imageIdentifier: 'public.ecr.aws/aws-containers/hello-app-runner:latest',
+  }),
+  vpcConnector,
+});
+```

packages/@aws-cdk/aws-apprunner/lib/index.ts

@@ -1,3 +1,4 @@
 // AWS::AppRunner CloudFormation Resources:
 export * from './apprunner.generated';
 export * from './service';
+export * from './vpc-connector';

packages/@aws-cdk/aws-apprunner/lib/service.ts

@@ -4,6 +4,7 @@ import * as iam from '@aws-cdk/aws-iam';
 import * as cdk from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import { CfnService } from './apprunner.generated';
+import { IVpcConnector } from './vpc-connector';
 
 /**
  * The image repository types
@@ -524,6 +525,13 @@ export interface ServiceProps {
    * @default - auto-generated if undefined.
    */
   readonly serviceName?: string;
+
+  /**
+   * Settings for an App Runner VPC connector to associate with the service.
+   *
+   * @default - no VPC connector, uses the DEFAULT egress type instead
+   */
+  readonly vpcConnector?: IVpcConnector;
 }
 
 /**
@@ -792,6 +800,12 @@ export class Service extends cdk.Resource {
         imageRepository: source.imageRepository ? this.renderImageRepository() : undefined,
         codeRepository: source.codeRepository ? this.renderCodeConfiguration() : undefined,
       },
+      networkConfiguration: {
+        egressConfiguration: {
+          egressType: this.props.vpcConnector ? 'VPC' : 'DEFAULT',
+          vpcConnectorArn: this.props.vpcConnector?.vpcConnectorArn,
+        },
+      },
     });
 
     // grant required privileges for the role